An unresolved security flaw in Java Web Start could be putting millions of Windows users at risk. The bug  discovered by Tavis Ormandy  allows arbitrary options to be passed to the Java virtual machine via the javaws command line application. This gives an attacker the opportunity to execute malign JAR files on the victim’s computer.